Manage Client Access to the Windows Store

Published: February 29, 2012

Updated: March 24, 2014

Applies To: Windows 8

Windows Store is available in Windows® 8. IT Administrators can control the availability and functionality of Windows Store on client computers according to the business policies of their enterprise environment. The following answers questions that IT Pros frequently ask about managing client access to the Windows Store in an enterprise environment.

Windows apps are designed to be sleek, quick, and modern, with groups of common tasks consolidated to speed up use. The core design concepts of a Windows app include good typography and large, eye-catching text, with the content as the main focus.

LOB stands for line-of-business. LOB apps are apps that require users to authenticate with corporate credentials, that access internal information, or that are designed specifically for internal use. An example is an expense-report app that the IT department provides to employees.

Sideloading, which is available in both Windows 8 and Windows Server 2012, refers to installing apps directly on a device without going through the Windows Store. Sideloaded LOB apps do not need to be certified by Microsoft and are not installed through the Windows Store, but they must be signed with a certificate that chains to a root certificate the device trusts. We recommend that IT administrators apply to LOB apps the same technical certification tests that the Windows Store performs on submitted apps.
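The following PowerShell script is an added example, not code from the original article, showing the check a practitioner would make before sideloading: confirm that the package signature is valid and that the signer chains to a trusted root, then install with Add-AppxPackage. The package path and name are hypothetical; the chain printout is there so the administrator can confirm the root is the one the enterprise intended.

```powershell
# Added example (not from the original article): verify the signing chain of a
# LOB package before sideloading it. The path and package name are hypothetical.
$package = 'C:\LOB\ExpenseReport_1.0.0.0_x64.appx'

# Get-AuthenticodeSignature reads the package signature. Status is 'Valid' only
# when the signature verifies AND the signer chains to a root trusted on this device.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid') {
    throw "Refusing to sideload: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}

# Build and print the chain so the root can be compared with the expected enterprise root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sig.SignerCertificate)
$chain.ChainElements | ForEach-Object {
    '{0} (thumbprint {1})' -f $_.Certificate.Subject, $_.Certificate.Thumbprint
}

# The sideloading policy ("Allow all trusted apps to install") must already be
# enabled on the device; Add-AppxPackage reports an error otherwise.
Add-AppxPackage -Path $package

# Confirm the package is now registered for the current user.
Get-AppxPackage -Name 'ExpenseReport' | Select-Object Name, Version, PackageFullName
```

Run the script in an elevated PowerShell session on the target device; the installation itself is per user, so a package sideloaded this way is registered only for the account that ran Add-AppxPackage.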

Yes. IT Administrators can use Group Policy to allow or prohibit users from accessing the Windows Store, to control the automatic download of updates for apps obtained from the Windows Store, and to allow or prevent the sideloading of apps.

Windows 8.1 and Windows Server 2012 R2 can automatically install app updates in addition to downloading them. The Windows 8 policy setting Turn off Automatic Download of updates on Win8 machines has no effect on computers that are running Windows 8.1 or Windows Server 2012 R2; it has been replaced by the following policy setting: Computer Configuration/Administrative Templates/Store/Turn off Automatic Download and Install of updates. If this policy setting is enabled, automatic app updates are turned off; if it is disabled, automatic app updates are turned on.

A separate policy setting disables access to the Windows Store for individual users while still allowing the computer to connect to the Windows Store service to detect new updates.

Windows Store cannot automatically install app updates on Windows 8 and Windows Server 2012, but by default it automatically downloads them, which makes the manual installation of app updates faster. To turn off this behavior, enable the following policy setting: Computer Configuration/Administrative Templates/Store/Turn off Automatic Download of updates on Win8 machines.
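Group Policy should be authored in the Group Policy Management Console, but after a policy refresh the effective state is visible in the registry values the Store and App Package Deployment templates write. The PowerShell script below is an added example, not code from the original article, that reports that state on a client. The registry paths, value names and meanings (RemoveWindowsStore, AutoDownload with 2 = off and 4 = on, AllowAllTrustedApps) are taken from the Windows 8 and 8.1 ADMX templates as I understand them; treat them as assumptions to confirm against the WindowsStore.admx and AppxPackageManager.admx files in your own environment.

```powershell
# Added example (not from the original article): report the effective Store
# policy state from the registry values that Group Policy writes.
# Value names and meanings are assumptions taken from the Windows 8 / 8.1 ADMX
# templates; confirm them against the templates in your environment.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy not configured
    return $item.$Name
}

$storeMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$storeUser    = 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'
$appx         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# 6.2 = Windows 8 / Server 2012, 6.3 = Windows 8.1 / Server 2012 R2.
# The Windows 8 "Turn off Automatic Download of updates on Win8 machines"
# setting has no effect on 6.3, so the report notes which OS it ran on.
$osVersion = [Environment]::OSVersion.Version

# "Turn off the Store application": RemoveWindowsStore = 1 (computer or user scope)
$removeMachine = Get-PolicyValue $storeMachine 'RemoveWindowsStore'
$removeUser    = Get-PolicyValue $storeUser    'RemoveWindowsStore'

# Automatic download (Windows 8) / download and install (Windows 8.1):
# AutoDownload = 2 means turned off, 4 means turned on (assumption, see above).
$autoDownload = Get-PolicyValue $storeMachine 'AutoDownload'

# "Allow all trusted apps to install": AllowAllTrustedApps = 1 permits sideloading
$sideload = Get-PolicyValue $appx 'AllowAllTrustedApps'

[pscustomobject]@{
    OSVersion              = $osVersion.ToString()
    StoreBlockedForMachine = ($removeMachine -eq 1)
    StoreBlockedForUser    = ($removeUser -eq 1)
    AutoUpdateState        = $(switch ($autoDownload) {
                                 2       { 'Off' }
                                 4       { 'On' }
                                 default { 'NotConfigured' }
                             })
    SideloadingAllowed     = ($sideload -eq 1)
}
```

Run it as the user whose access you are checking, because the user-scope Store setting lives under HKCU; run gpupdate first if a policy was just changed.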

Yes. Windows apps run in an app container with far more limited rights than desktop apps, which run with standard user rights by default. Windows apps can access only those resources (files, folders, registry keys, and DCOM interfaces) to which they have been explicitly granted access. For example, if a new folder is created at C:\Personal Docs and files are copied into it, no Windows app can access those files, because no app has been granted explicit access to that folder. However, the access permissions (ACLs) on critical system resources such as the Windows\System32 folder contain a special rule (ACE) that grants all Windows apps the permissions necessary for any app to run.

The default permissions on the Windows\System32 folder include an entry that grants Read and execute permissions to ALL APPLICATION PACKAGES, which covers every Windows app. (The original article shows this in a screenshot of the folder's Security properties, which is not reproduced here.)

The default permissions (ACLs) on system resources can be modified using different methods. For example:

The access and launch permissions on DCOM interfaces can be modified through the following Group Policy settings under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax, and DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.

While configuring the access permissions on any of these resources, it is important to identify which entries grant access to all Windows apps and to ensure that the new effective permissions do not remove that access. When supplying the permissions in SDDL form, the security identifier (SID) for ALL APPLICATION PACKAGES is S-1-15-2-1, which SDDL also accepts as the two-letter abbreviation AC.
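The two tasks described above (granting Windows apps access to a folder they are not allowed to read by default, and checking an SDDL string before it goes into the DCOM restriction policies so that the ALL APPLICATION PACKAGES grant survives) can be scripted. The PowerShell below is an added example, not code from the original article. The folder path is the article's own C:\Personal Docs; the two SDDL strings are constructed for illustration and are not the values of any real policy.

```powershell
# Added example (not from the original article).
# Part 1: grant ALL APPLICATION PACKAGES (S-1-15-2-1) Read & execute on a folder,
# inherited by its subfolders and files, so Windows apps can read it.
# Part 2: check an SDDL string for an Allow ACE for that SID before applying it
# to the DCOM machine access/launch restriction policies.
$allAppPackages = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'

function Grant-AppPackageRead {
    param([string]$Folder)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $allAppPackages,
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-SddlGrantsAllAppPackages {
    param([string]$Sddl)
    # RawSecurityDescriptor parses SDDL (including the 'AC' abbreviation) into ACEs,
    # so the check does not depend on string matching.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $allAppPackages) {
            return $true
        }
    }
    return $false
}

# Part 1: the folder from the article's example.
Grant-AppPackageRead -Folder 'C:\Personal Docs'
(Get-Acl 'C:\Personal Docs').Access |
    Where-Object { $_.IdentityReference -eq 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' }

# Part 2: constructed SDDL candidates for a DCOM restriction policy. The first keeps
# the ALL APPLICATION PACKAGES ('AC') grant next to Everyone ('WD'); the second drops it.
$keepsAccess = 'O:BAG:BAD:(A;;CCDCLCSWRP;;;AC)(A;;CCDCLCSWRP;;;WD)'
$dropsAccess = 'O:BAG:BAD:(A;;CCDCLCSWRP;;;WD)'

foreach ($candidate in @($keepsAccess, $dropsAccess)) {
    if (Test-SddlGrantsAllAppPackages $candidate) {
        "OK to apply:    $candidate"
    } else {
        "Would break apps: $candidate"
    }
}
```

Run Test-SddlGrantsAllAppPackages against any SDDL you intend to put into the DCOM policies, or against (Get-Acl <path>).Sddl for a folder or registry key you are tightening; a False result means Windows apps would lose access to that resource.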

We offer support for enterprises that want direct control over the deployment of LOB apps. Enterprises can choose to deploy LOB apps directly to the computers they manage without going through the Windows Store infrastructure.

By default, the only Windows apps that can be installed on Windows 8 are those obtained from the Windows Store.

An IT Administrator can control which Windows apps can be installed and run by using AppLocker packaged app rules. These rules apply both to apps from the Windows Store and to LOB apps that the IT Administrator has sideloaded.

For more information about using AppLocker to manage Windows apps, see the AppLocker Overview.
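As an added example that is not part of the original article, the PowerShell below generates AppLocker publisher rules for the Windows apps installed for the current user, merges them into the local policy, and then tests one package against the resulting XML. The output path and the package name used in the test are hypothetical. Enforcement mode is set in the RuleCollection element of the generated XML, not by these cmdlets, so review the file and use AuditOnly first.

```powershell
# Added example (not from the original article): build AppLocker packaged app
# rules from the installed Windows apps. The policy path and the package name
# in the final test are hypothetical.
Import-Module AppLocker

$policyXml = 'C:\Policies\PackagedApps.xml'

# One publisher rule per installed package, Store-delivered and sideloaded alike.
# Get-AppLockerFileInformation reads the publisher from each package's signature.
Get-AppxPackage |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# Inspect the generated XML (enforcement mode and the rule list) before applying it.
Get-Content -Path $policyXml

# Merge into the local policy. The Application Identity service must be running
# for AppLocker to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Check whether a specific package (name is hypothetical) would be allowed.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Packages (Get-AppxPackage -Name 'Contoso.ExpenseReport')
```

Run Get-AppxPackage with -AllUsers in an elevated session when the policy should cover packages installed for other accounts on the computer; the rules generated are allow rules, so any package whose publisher is not listed is blocked once the collection is enforced.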